Merge branch 'rust-u2f-seed'

Author: benma

src/keystore.c

@@ -532,21 +532,6 @@ bool keystore_secp256k1_sign(
     return true;
 }
 
-bool keystore_get_u2f_seed(uint8_t* seed_out)
-{
-    if (keystore_is_locked()) {
-        return false;
-    }
-    uint8_t bip39_seed[64] = {0};
-    UTIL_CLEANUP_64(bip39_seed);
-    if (!keystore_copy_bip39_seed(bip39_seed)) {
-        return false;
-    }
-    const uint8_t message[] = "u2f";
-    rust_hmac_sha256(bip39_seed, 64, message, sizeof(message), seed_out);
-    return true;
-}
-
 #ifdef TESTING
 void keystore_mock_unlocked(const uint8_t* seed, size_t seed_len, const uint8_t* bip39_seed)
 {

src/keystore.h

@@ -179,13 +179,6 @@ USE_RESULT bool keystore_secp256k1_sign(
     uint8_t* sig_compact_out,
     int* recid_out);
 
-/**
- * Get the seed to be used for u2f
- * @param seed_out Buffer for seed, must be KEYSTORE_U2F_SEED_LENGTH
- * @return true if succes
- */
-USE_RESULT bool keystore_get_u2f_seed(uint8_t* seed_out);
-
 #ifdef TESTING
 /**
  * convenience to mock the keystore state (locked, seed) in tests.

src/rust/bitbox02-rust/src/keystore.rs

@@ -23,10 +23,9 @@ use bitbox02::keystore;
 
 use util::bip32::HARDENED;
 
-use crate::hash::Sha512;
 use crate::secp256k1::SECP256K1;
 
-use hmac::{Mac, SimpleHmac, digest::FixedOutput};
+use bitcoin::hashes::{Hash, HashEngine, Hmac, HmacEngine, sha512};
 
 /// Returns the keystore's seed encoded as a BIP-39 mnemonic.
 pub fn get_bip39_mnemonic() -> Result<zeroize::Zeroizing<String>, ()> {
@@ -138,12 +137,12 @@ pub fn root_fingerprint() -> Result<Vec<u8>, ()> {
 
 fn bip85_entropy(keypath: &[u32]) -> Result<zeroize::Zeroizing<Vec<u8>>, ()> {
     let priv_key = secp256k1_get_private_key_twice(keypath)?;
-    let mut mac = SimpleHmac::<Sha512>::new_from_slice(b"bip-entropy-from-k").unwrap();
-    mac.update(&priv_key);
-    let mut out = zeroize::Zeroizing::new(vec![0u8; 64]);
-    let fixed_out: &mut [u8; 64] = out.as_mut_slice().try_into().unwrap();
-    mac.finalize_into(fixed_out.into());
-    Ok(out)
+
+    let mut engine = HmacEngine::<sha512::Hash>::new(b"bip-entropy-from-k");
+    engine.input(&priv_key);
+    Ok(zeroize::Zeroizing::new(
+        Hmac::from_engine(engine).to_byte_array().to_vec(),
+    ))
 }
 
 /// Computes a BIP39 mnemonic according to BIP-85:
@@ -224,6 +223,19 @@ pub fn secp256k1_schnorr_sign(
     Ok(sig.serialize())
 }
 
+/// Get the seed to be used for u2f
+#[cfg(feature = "app-u2f")]
+pub fn get_u2f_seed() -> Result<zeroize::Zeroizing<Vec<u8>>, ()> {
+    let bip39_seed = keystore::copy_bip39_seed()?;
+
+    let mut engine = HmacEngine::<bitcoin::hashes::sha256::Hash>::new(&bip39_seed);
+    // Null-terminator for backwards compatibility from the time when this was coded in C.
+    engine.input(b"u2f\0");
+    Ok(zeroize::Zeroizing::new(
+        Hmac::from_engine(engine).to_byte_array().to_vec(),
+    ))
+}
+
 /// # Safety
 ///
 /// keypath pointer has point to a buffer of length `keypath_len` uint32 elements.
@@ -243,6 +255,18 @@ pub unsafe extern "C" fn rust_secp256k1_get_private_key(
     }
 }
 
+#[cfg(feature = "app-u2f")]
+#[unsafe(no_mangle)]
+pub extern "C" fn rust_keystore_get_u2f_seed(mut seed_out: util::bytes::BytesMut) -> bool {
+    match get_u2f_seed() {
+        Ok(seed) => {
+            seed_out.as_mut().copy_from_slice(&seed);
+            true
+        }
+        Err(_) => false,
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -584,7 +608,7 @@ mod tests {
                 test.expected_xpub,
             );
             assert_eq!(
-                hex::encode(keystore::get_u2f_seed().unwrap()),
+                hex::encode(get_u2f_seed().unwrap()),
                 test.expected_u2f_seed_hex,
             );
         }

src/rust/bitbox02-sys/build.rs

@@ -73,7 +73,6 @@ const ALLOWLIST_FNS: &[&str] = &[
     "keystore_create_and_store_seed",
     "keystore_encrypt_and_store_seed",
     "keystore_get_bip39_word",
-    "keystore_get_u2f_seed",
     "keystore_is_locked",
     "keystore_lock",
     "keystore_mock_unlocked",

src/rust/bitbox02/src/keystore.rs

@@ -220,16 +220,6 @@ pub fn encrypt_and_store_seed(seed: &[u8], password: &str) -> Result<(), Error>
     }
 }
 
-// Currently only used in the functional tests below.
-#[cfg(feature = "testing")]
-pub fn get_u2f_seed() -> Result<zeroize::Zeroizing<Vec<u8>>, ()> {
-    let mut seed = zeroize::Zeroizing::new([0u8; 32].to_vec());
-    match unsafe { bitbox02_sys::keystore_get_u2f_seed(seed.as_mut_ptr()) } {
-        true => Ok(seed),
-        false => Err(()),
-    }
-}
-
 #[cfg(test)]
 mod tests {
     use super::*;

src/u2f.c

@@ -257,7 +257,7 @@ USE_RESULT static bool _keyhandle_gen(
     uint8_t hmac_in[U2F_APPID_SIZE + U2F_NONCE_LENGTH];
     uint8_t seed[32];
     UTIL_CLEANUP_32(seed);
-    if (!keystore_get_u2f_seed(seed)) {
+    if (!rust_keystore_get_u2f_seed(rust_util_bytes_mut(seed, sizeof(seed)))) {
         return false;
     }